Technical paper: The ZeroAccess rootkit under the microscope

ZeroAccess is a sophisticated kernel-mode rootkit that is quickly becoming one of the most widespread malware threats.

In a new technical paper from SophosLabs, malware researcher James Wyke explores the ZeroAccess threat, examines how it works and looks at what the malware’s ultimate goal is.

ZeroAccess has a resilient peer-to-peer command and control infrastructure, runs on both 32-bit and 64-bit versions of Windows, and has been constantly updated with new functionality, allowing it to thrive on modern networks and operating systems.

From the distribution mechanisms used to spread it, through the installation procedure, memory residence and payload, the technical paper offers a deep insight into how ZeroAccess works.

Because people have asked – Yes, Sophos Anti-Virus can detect, block and remediate this rootkit and the various malware which uses it:

1. Infected files will be detected and blocked as Mal/ZAccess-x, Troj/ZAccess-x, Mal/Sirefef-x or Troj/Sirefef-x, where x denotes an alphabetic suffix (e.g. -A, -B). On a properly-protected system, this should prevent infection in the first place.

2. Active processes will be reported and blocked by the Sophos run-time HIPS (Host Intrusion Detection System) as HPmal/ZAccess-A. This gives an extra layer of safety by providing proactive detection and prevention even of samples which evade detection in (1) above.

3. The ZeroAccess rootkit itself will be detected in kernel memory, and can be cleaned up, as Troj/ZAKmem-A. This means that the malware can be remediated even on systems where the rootkit is already active and stealthing.

"Yes, Sophos Anti-Virus can detect, block and remediate this rootkit and the various malware which uses it" – but does this also apply to the free virus removal toolkit you kindly provide for download?

The user named Faz also asked if the product "remediates" it. This is a key question and you did not address this.

I just ran the free AV Removal tool and it identified 3 pieces of malware, including this one, and referred me back to Sophos. So there was no remediation. What is the point, to identify and not fix? Might generate more sales if you'd at least point people in the direction of a product that works if the so-called "removal" tool doesn't actually "remove."

Thanks for the report. Very useful. My XP SP3 desktop was infected by this problem last week. The report and your free virus removal tool have been very helpful.

FYI.. You can see the directories that hide the files if you run Windows defragmentation. The files are listed in the final report as ones that can't be accessed.
I still need to get rid of these files and folders.

Sophos did detect and remove; a competitor, Kaspersky, did not detect it, and I am most impressed that Sophos did. By the way, the product Microsoft Security Essentials did not detect this threat, resulting in infection on the device. Thumbs up 🙂